def register_Etcd(self, timeout_value=5, threads_value=1):
    """Register the connection options used against an etcd endpoint.

    Sets ``self.target_type`` to ``"http"`` and registers two required
    options: ``RPORT`` (default is an empty string) and ``TARGETURI``
    (default ``/``).

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    self.target_type = "http"
    etcd_options = [
        BaseOption(
            name='RPORT',
            required=True,
            description="Port to connect",
            value="",
        ),
        BaseOption(
            name='TARGETURI',
            required=True,
            description='base URI of etcd',
            value='/',
        ),
    ]
    self.register_options(etcd_options)
def register_client_dns(self):
    """Register the listener options for a local SMB service.

    All three options are required and carry defaults: ``SRVPORT`` (445),
    ``SMBServerMaximumBuffer`` (2, in megabytes) and ``SMBServerIdleTimeout``
    (120, in seconds).
    """
    # NOTE(review): the function name mentions DNS but every option here is
    # SMB-server related -- confirm the name.
    # NOTE(review): 445 is below 1024, so binding it normally needs elevated
    # privileges on Unix-like hosts -- confirm how the listener is started.
    listener_options = [
        BaseOption(
            name='SRVPORT',
            required=True,
            description='The local port to listen on.',
            value=445,
        ),
        BaseOption(
            name='SMBServerMaximumBuffer',
            required=True,
            description='The maximum number of data in megabytes to buffer',
            value=2,
        ),
        BaseOption(
            name='SMBServerIdleTimeout',
            required=True,
            description='The maximum amount of time to keep an idle session open in seconds',
            value=120,
        ),
    ]
    self.register_options(listener_options)
def register_llmnr(self, timeout_value=5, threads_value=1):
    """Register the optional Android payload settings.

    Sets ``self.target_type`` to ``"http"`` and registers three optional
    options: ``AndroidMeterpreterDebug`` and ``AndroidHideAppIcon`` (no
    default given) and ``AndroidWakelock`` (default ``True``).

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    # NOTE(review): the name mentions LLMNR, yet the options are Android
    # payload settings -- confirm the name and the "http" target type.
    self.target_type = "http"
    android_options = [
        BaseOption(
            name='AndroidMeterpreterDebug',
            required=False,
            description="Run the payload in debug mode, with logging enabled",
        ),
        BaseOption(
            name='AndroidWakelock',
            required=False,
            description="Acquire a wakelock before starting the payload",
            value=True,
        ),
        BaseOption(
            name='AndroidHideAppIcon',
            required=False,
            description="Hide the application icon automatically after launch",
        ),
    ]
    self.register_options(android_options)
def register_client_dns(self):
    """Register the WinRM connection and credential options.

    Required, with defaults: ``RPORT`` (5985), ``DOMAIN`` (``WORKSTATION``)
    and ``URI`` (``/wsman``). Optional, without defaults: ``USERNAME`` and
    ``PASSWORD``.
    """
    # NOTE(review): the function name mentions DNS but the options describe a
    # WinRM client -- confirm the name.
    # NOTE(review): PASSWORD is stored like any other option value; check that
    # commands which list options do not echo it in clear text.
    winrm_options = [
        BaseOption(
            name='RPORT',
            required=True,
            description="Remote RPORT to Connect",
            value=5985,
        ),
        BaseOption(
            name='DOMAIN',
            required=True,
            description='The domain to use for Windows authentification',
            value='WORKSTATION',
        ),
        BaseOption(
            name='URI',
            required=True,
            description="The URI of the WinRM service",
            value="/wsman",
        ),
        BaseOption(
            name='USERNAME',
            required=False,
            description='A specific username to authenticate as',
        ),
        BaseOption(
            name='PASSWORD',
            required=False,
            description='A specific password to authenticate with',
        ),
    ]
    self.register_options(winrm_options)
def register_client_dns(self):
    """Register the optional Windows service naming options.

    Registers ``SERVICE_NAME``, ``SERVICE_DISPLAY_NAME`` and
    ``SERVICE_DESCRIPTION`` without defaults, plus ``SERVICE_PERSIST``
    (default ``False``). None of them is required.
    """
    # NOTE(review): the function name mentions DNS but the options describe a
    # Windows service -- confirm the name.
    service_options = [
        BaseOption(
            name='SERVICE_NAME',
            required=False,
            description='The service name',
        ),
        BaseOption(
            name='SERVICE_DISPLAY_NAME',
            required=False,
            description='The service display name',
        ),
        BaseOption(
            name='SERVICE_PERSIST',
            required=False,
            description='Create an Auto run service and do not remove it.',
            value=False,
        ),
        BaseOption(
            name='SERVICE_DESCRIPTION',
            required=False,
            description="Service description to to be used on target for pretty listing",
        ),
    ]
    self.register_options(service_options)
def register_llmnr(self, timeout_value=5, threads_value=1):
    """Register the Java payload and pingback settings.

    Sets ``self.target_type`` to ``"http"`` and registers
    ``JavaMeterpreterDebug`` (optional, no default) together with three
    required options: ``Spawn`` (2), ``PingbackRetries`` (0) and
    ``PingbackSleep`` (30, in seconds).

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    # NOTE(review): the name mentions LLMNR, yet the options are Java payload
    # settings -- confirm the name and the "http" target type.
    self.target_type = "http"
    java_options = [
        BaseOption(
            name='JavaMeterpreterDebug',
            required=False,
            description="Run the payload in debug mode, with logging enabled",
        ),
        BaseOption(
            name='Spawn',
            required=True,
            description="Number of subprocesses to spawn",
            value=2,
        ),
        BaseOption(
            name='PingbackRetries',
            required=True,
            description="How many additional successful pingbacks",
            value=0,
        ),
        BaseOption(
            name='PingbackSleep',
            required=True,
            description="Time (in seconds) to sleep between pingbacks",
            value=30,
        ),
    ]
    self.register_options(java_options)
def register_client_dns(self):
    """Register the HTTP request-shaping options for a web script target.

    ``PATH`` is required (default ``/``). ``GET``, ``POST``, ``COOKIES`` and
    ``HEADERS`` are optional and default to an empty string. Their
    descriptions state that the ``#{WEB_PAYLOAD_STUB}`` marker is substituted
    later; no substitution happens in this function.
    """
    # NOTE(review): the function name mentions DNS but the options describe an
    # HTTP request -- confirm the name.
    request_options = [
        BaseOption(
            name='PATH',
            required=True,
            description='The path to the vulnerable script.',
            value='/',
        ),
        BaseOption(
            name='GET',
            required=False,
            description="GET parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)",
            value="",
        ),
        BaseOption(
            name='POST',
            required=False,
            description="POST parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)",
            value="",
        ),
        BaseOption(
            name='COOKIES',
            required=False,
            description="Cookies to be sent with the request. ('foo=bar;vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)",
            value="",
        ),
        BaseOption(
            name='HEADERS',
            required=False,
            description="Headers to be sent with the request. ('User-Agent=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)",
            value="",
        ),
    ]
    self.register_options(request_options)
def register_Drdos(self):
    """Register the two optional options of the DRDoS helper.

    Sets ``self.target_type`` to ``"http"`` and registers ``SRCIP`` (no
    default) and ``NUM_REQUESTS`` (default 1).
    """
    self.target_type = "http"
    drdos_options = [
        BaseOption(
            name='SRCIP',
            required=False,
            description='Use this source IP',
        ),
        BaseOption(
            name='NUM_REQUESTS',
            required=False,
            description='Number of requests to send',
            value=1,
        ),
    ]
    self.register_options(drdos_options)
def register_client_dns(self):
    """Register the optional local-file selection options.

    ``LPATH`` names a single local file; ``FILE_LPATHS`` names a file that
    lists several. Neither is required and neither has a default.
    """
    # NOTE(review): the function name mentions DNS but the options select
    # local files -- confirm the name.
    local_file_options = [
        BaseOption(
            name='LPATH',
            required=False,
            description='The path of the local file to utilize',
        ),
        BaseOption(
            name='FILE_LPATHS',
            required=False,
            description='A file containing a list of local files to utilize',
        ),
    ]
    self.register_options(local_file_options)
def register_llmnr(self, timeout_value=5, threads_value=1):
    """Register the Java payload debug and spawn settings.

    Sets ``self.target_type`` to ``"http"`` and registers
    ``JavaMeterpreterDebug`` (optional, no default) and ``Spawn`` (required,
    default 2).

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    # NOTE(review): the name mentions LLMNR, yet the options are Java payload
    # settings -- confirm the name and the "http" target type.
    self.target_type = "http"
    debug_option = BaseOption(
        name='JavaMeterpreterDebug',
        required=False,
        description="Run the payload in debug mode, with logging enabled",
    )
    spawn_option = BaseOption(
        name='Spawn',
        required=True,
        description="Number of subprocesses to spawn",
        value=2,
    )
    self.register_options([debug_option, spawn_option])
def register_client_dns(self):
    """Register the options of the Safari webarchive module.

    Sets ``self.target_type`` to ``"http"`` and registers the served file
    names and paths (``URIPATH``, ``FILENAME``, ``GRABPATH``,
    ``DOWNLOAD_PATH``), the optional ``FILE_URLS`` list, the collection
    switches (``STEAL_COOKIES`` and ``STEAL_FILES``, both default ``True``)
    and the extension settings (``INSTALL_EXTENSION`` default ``False``,
    ``EXTENSION_URL``, ``EXTENSION_ID``).
    """
    # NOTE(review): the function name mentions DNS but the options describe a
    # webarchive served over HTTP -- confirm the name.
    self.target_type = "http"
    webarchive_options = [
        BaseOption(
            name="URIPATH",
            required=False,
            description='The URI to use for this exploit (default is random)',
        ),
        BaseOption(
            name='FILENAME',
            required=True,
            description='The file name',
            value='thg.webarchive',
        ),
        BaseOption(
            name='GRABPATH',
            required=False,
            description="The URI to receive the UXSS'ed data",
            value='grab',
        ),
        BaseOption(
            name='DOWNLOAD_PATH',
            required=True,
            description='The path to download the webarchive',
            value='thg.webarchive',
        ),
        BaseOption(
            name='FILE_URLS',
            required=False,
            description='Additional file:// URLs to steal. $USER will be resolved to the username.',
        ),
        BaseOption(
            name='STEAL_COOKIES',
            required=True,
            description="Enable cookie stealing",
            value=True,
        ),
        BaseOption(
            name='STEAL_FILES',
            required=True,
            description="Enable local file stealing",
            value=True,
        ),
        BaseOption(
            name='INSTALL_EXTENSION',
            required=True,
            description="Silently install a Safari extensions (requires click)",
            value=False,
        ),
        BaseOption(
            name='EXTENSION_URL',
            required=False,
            description="HTTP URL of a Safari extension to install",
            value="https://data.getadblock.com/safari/AdBlock.safariextz",
        ),
        BaseOption(
            name='EXTENSION_ID',
            required=False,
            description="The ID of the Safari extension to install",
            value="com.betafish.adblockforsafari-UAMUU4S2D9",
        ),
    ]
    self.register_options(webarchive_options)
def register_client_dns(self):
    """Register the HTTP verb and package options.

    ``VERB`` is required and defaults to ``POST``; its description ties it to
    CVE-2010-0738. ``PACKAGE`` is optional and has no default.
    """
    # NOTE(review): the function name mentions DNS but the options describe an
    # HTTP request to a BSHDeployer service -- confirm the name.
    verb_option = BaseOption(
        name='VERB',
        required=True,
        description='HTTP Method to use (for CVE-2010-0738)',
        value='POST',
    )
    # The original carried the comment ['GET', 'POST', 'HEAD'] next to VERB,
    # presumably the accepted verbs; nothing in this function enforces it.
    package_option = BaseOption(
        name='PACKAGE',
        required=False,
        description='The package containing the BSHDeployer service',
    )
    self.register_options([verb_option, package_option])
def register_Fuzzer(self, timeout_value=5, threads_value=1):
    """Register the string-generation options of the fuzzer helper.

    Sets ``self.target_type`` to ``"http"`` and registers two required
    options: ``FuzzTracer`` (default ``MSFROCKS``) and ``FuzzChar`` (default
    ``X``).

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    self.target_type = "http"
    fuzzer_options = [
        BaseOption(
            name='FuzzTracer',
            required=True,
            description='Sets the magic string to embed into fuzzer string inputs',
            value='MSFROCKS',
        ),
        BaseOption(
            name='FuzzChar',
            required=True,
            description='Sets the character to use for generating long strings',
            value='X',
        ),
    ]
    self.register_options(fuzzer_options)
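def register_Nmap(self):
    """Register the optional options of the nmap wrapper.

    Sets ``self.target_type`` to ``"http"`` and registers ``RHOSTS``
    (default empty string), ``NMAP_VERBOSE`` (default ``True``) and
    ``RPORTS`` (no default). None of them is required.
    """
    self.target_type = "http"
    self.register_options([
        BaseOption(
            name='RHOSTS',
            required=False,
            description="list of hosts",
            value="",
        ),
        # Fixed: the keyword was misspelled ``volue``. Depending on how
        # BaseOption treats unknown keywords, that either raised TypeError or
        # silently left NMAP_VERBOSE without its intended default of True.
        BaseOption(
            name='NMAP_VERBOSE',
            required=False,
            description='Display nmap output',
            value=True,
        ),
        # RPORT supersedes RPORTS
        BaseOption(
            name='RPORTS',
            required=False,
            description='Ports to target',
        ),
    ])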
def register_client_dns(self):
    """Register the optional remote-file selection options.

    ``RPATH`` names one remote file relative to the share; ``FILE_RPATHS``
    names a file that lists several. Neither is required and neither has a
    default.
    """
    # NOTE(review): the function name mentions DNS but the options select
    # files on a share -- confirm the name.
    remote_file_options = [
        BaseOption(
            name='RPATH',
            required=False,
            description='The name of the remote file relative to the share to operate on',
        ),
        BaseOption(
            name='FILE_RPATHS',
            required=False,
            description='A file containing a list remote files relative to the share to operate on',
        ),
    ]
    self.register_options(remote_file_options)
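def thgcmd_show(self, content):
    """
    Display module information

    Eg:
        show info
        show options
        show missing
    """
    # ``content`` selects the view: "info" prints the module metadata and then
    # the option table, "options" prints only the option table, "missing"
    # prints what get_missing_options() returns. Any other value prints
    # nothing. Raises ModuleNotUseException when no module is selected.
    #
    # NOTE(review): the docstring above may double as the interactive help
    # text of the command -- confirm before rewording it.
    #
    # NOTE(review): every attribute of every option is printed unmodified. If
    # the option value is one of those attributes (presumably it is), options
    # such as PASSWORD, SMBPass or AESPassword end up in clear text on the
    # terminal, in scrollback and in any session transcript. Consider masking
    # options that hold secrets before tabulating them.
    if not self.module_instance:
        raise ModuleNotUseException()

    def build_rows(options, fields):
        # One row per option, one column per BaseOption attribute.
        return [[getattr(option, field) for field in fields] for option in options]

    if content == "info":
        info = self.module_instance.get_info()
        self.poutput(style("Module info:"))
        info_table = [[key + ":", info.get(key)] for key in info.keys()]
        self.poutput(tabulate(info_table, colalign=("right", ), tablefmt="plain"), )

    if content in ("options", "info"):
        options = self.module_instance.options.get_options()
        # A default-constructed BaseOption supplies the column names.
        default_options_instance = BaseOption()
        fields = default_options_instance.__dict__.keys()
        options_table = build_rows(options, fields)
        self.poutput(style("Module options:", fg="red"))
        self.poutput(style(tabulate(options_table, headers=fields, ), fg="red"))

    if content == "missing":
        missing_options = self.module_instance.get_missing_options()
        # Fixed: the original tested ``len(missing_options) is 0``, an identity
        # comparison against an int literal. It only works because CPython
        # caches small integers and triggers a SyntaxWarning on Python 3.8+.
        if len(missing_options) == 0:
            self.poutput(style("No option missing!"))
            return None

        default_options_instance = BaseOption()
        fields = default_options_instance.__dict__.keys()
        missing_options_table = build_rows(missing_options, fields)
        self.poutput(style("Missing Module options:"))
        self.poutput(style(tabulate(missing_options_table, headers=fields, ), ))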
def register_client_dns(self):
    """Register the optional ``TARGETURI`` option for a Drupal install.

    The option defaults to ``/``.
    """
    # NOTE(review): the function name mentions DNS but the option is the base
    # path of a Drupal site -- confirm the name.
    target_uri = BaseOption(
        name='TARGETURI',
        required=False,
        description='Path to Drupal install',
        value='/',
    )
    self.register_options([target_uri])
def register_client_dns(self):
    """Register the optional ``SERVICE_NAME`` option.

    The option defaults to ``WebExService``.
    """
    # NOTE(review): the function name mentions DNS but the option names a
    # Windows service -- confirm the name.
    service_name = BaseOption(
        name='SERVICE_NAME',
        required=False,
        description='The service name',
        value='WebExService',
    )
    self.register_options([service_name])
def register_client_dns(self):
    """Register the optional SMB authentication options.

    ``SMBUser``, ``SMBPass`` and ``SMBDomain`` are all optional and default
    to an empty string.
    """
    # NOTE(review): the function name mentions DNS but the options are SMB
    # credentials -- confirm the name.
    # NOTE(review): SMBPass is stored like any other option value; check that
    # commands which list options do not echo it in clear text.
    smb_auth_options = [
        BaseOption(
            name='SMBUser',
            required=False,
            description='The username to authenticate as',
            value='',
        ),
        BaseOption(
            name='SMBPass',
            required=False,
            description='The password for the specified username',
            value='',
        ),
        BaseOption(
            name='SMBDomain',
            required=False,
            description='The Windows domain to use for authentication',
            value='',
        ),
    ]
    self.register_options(smb_auth_options)
def register_client_dns(self):
    """Register the required ``NAMED_PIPES`` option.

    Its default is ``wordlists.named_pipes``, read when this function runs.
    """
    # NOTE(review): the function name mentions DNS but the option is a list of
    # named pipes -- confirm the name.
    # NOTE(review): the default is passed by reference; if
    # wordlists.named_pipes is a mutable list, a module that edits the option
    # value in place would change it for every other user -- confirm.
    named_pipes_option = BaseOption(
        name='NAMED_PIPES',
        required=True,
        description='List of named pipes to check',
        value=wordlists.named_pipes,
    )
    self.register_options([named_pipes_option])
def register_scanner(self):
    """Register the concurrency and progress options shared by scanners.

    Sets ``self.target_type`` to ``"http"`` and registers three required
    options: ``THREADS`` (1), ``ShowProgress`` (``True``) and
    ``ShowProgressPercent`` (10).
    """
    self.target_type = "http"
    scanner_options = [
        BaseOption(
            name='THREADS',
            required=True,
            description="The number of concurrent threads",
            value=1,
        ),
        BaseOption(
            name='ShowProgress',
            required=True,
            description='Display progress messages during a scan',
            value=True,
        ),
        BaseOption(
            name='ShowProgressPercent',
            required=True,
            description='The interval in percent that progress should be shown',
            value=10,
        ),
    ]
    self.register_options(scanner_options)
def register_timed(self, timeout_value=5, threads_value=1):
    """Register the required ``RUNTIME`` option (default 5 seconds).

    Also sets ``self.target_type`` to ``"http"``.

    ``timeout_value`` and ``threads_value`` are accepted but not read here;
    the default of ``RUNTIME`` is the literal 5, not ``timeout_value``.
    """
    self.target_type = "http"
    runtime_option = BaseOption(
        name='RUNTIME',
        required=True,
        description="The number of seconds to run the test",
        value=5,
    )
    self.register_options([runtime_option])
def register_llmnr(self, timeout_value=5, threads_value=1):
    """Register the optional ``AESPassword`` option (default empty string).

    Also sets ``self.target_type`` to ``"http"``.

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    # NOTE(review): the name mentions LLMNR, yet the only option is a
    # communication-encryption password -- confirm the name.
    # NOTE(review): the default is an empty password, and the value is stored
    # like any other option; confirm how consumers treat the empty case and
    # that option listings do not echo the password in clear text.
    self.target_type = "http"
    aes_password = BaseOption(
        name='AESPassword',
        required=False,
        description="Password for encrypting communication",
        value='',
    )
    self.register_options([aes_password])
def register_client_dns(self):
    """Register the options of the built-in HTTP server.

    Registers the served URI (``URIPATH``, ``URIHOST``, ``URIPORT``), the
    response-shaping switches (``HTTP::no_cache``, ``HTTP::chunked``,
    ``HTTP::header_folding``, ``HTTP::junk_headers``, all default ``False``),
    ``HTTP::compression`` (default ``'none'``), the required
    ``HTTP::server_name`` (default ``Apache``) and ``SendRobots`` (default
    ``False``).
    """
    # NOTE(review): the function name mentions DNS but the options configure
    # an HTTP server -- confirm the name.
    http_server_options = [
        BaseOption(
            name='URIPATH',
            required=False,
            description="The URI to use for this exploit (default is random)",
        ),
        # The options below were marked "Exploit::Remote::HttpServer" in the
        # original comment.
        BaseOption(
            name='HTTP::no_cache',
            required=False,
            description='Disallow the browser to cache HTTP content',
            value=False,
        ),
        BaseOption(
            name='HTTP::chunked',
            required=False,
            description='Enable chunking of HTTP responses via "Transfer-Encoding: chunked"',
            value=False,
        ),
        BaseOption(
            name='HTTP::header_folding',
            required=False,
            description='Enable folding of HTTP headers',
            value=False,
        ),
        BaseOption(
            name='HTTP::junk_headers',
            required=False,
            description='Enable insertion of random junk HTTP headers',
            value=False,
        ),
        # The original carried the comment ['none','gzip','deflate'] here,
        # presumably the accepted values; nothing in this function enforces it.
        BaseOption(
            name='HTTP::compression',
            required=False,
            description='Enable compression of HTTP responses via content encoding',
            value='none',
        ),
        BaseOption(
            name='HTTP::server_name',
            required=True,
            description='Configures the Server header of all outgoing replies',
            value='Apache',
        ),
        BaseOption(
            name='URIHOST',
            required=False,
            description='Host to use in URI (useful for tunnels)',
        ),
        BaseOption(
            name='URIPORT',
            required=False,
            description='Port to use in URI (useful for tunnels)',
        ),
        BaseOption(
            name='SendRobots',
            required=False,
            description='Return a robots.txt file if asked for one',
            value=False,
        ),
    ]
    self.register_options(http_server_options)
def register_iax2(self, timeout_value=5, threads_value=1):
    """Register the IAX2 connection, credential and caller-ID options.

    Sets ``self.target_type`` to ``"http"``. Required: ``IAX_HOST`` (no
    default), ``IAX_PORT`` (4569) and ``IAX_CID_NUMBER`` (``15555555555``).
    Optional: ``IAX_USER``, ``IAX_PASS`` (empty string), ``IAX_CID_NAME``
    (empty string) and ``IAX_DEBUG`` (``False``).

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    # NOTE(review): target_type is "http" although IAX2 is not an HTTP
    # protocol -- confirm that consumers of target_type expect this.
    # NOTE(review): IAX_PASS is stored like any other option value; check that
    # commands which list options do not echo it in clear text.
    self.target_type = "http"
    iax2_options = [
        BaseOption(
            name='IAX_HOST',
            required=True,
            description='The IAX2 server to communicate with',
        ),
        BaseOption(
            name='IAX_PORT',
            required=True,
            description='The IAX2 server port',
            value=4569,
        ),
        BaseOption(
            name='IAX_USER',
            required=False,
            description='An optional IAX2 username',
        ),
        BaseOption(
            name='IAX_PASS',
            required=False,
            description='An optional IAX2 password',
            value="",
        ),
        BaseOption(
            name='IAX_CID_NAME',
            required=False,
            description='The default caller ID name',
            value='',
        ),
        BaseOption(
            name='IAX_CID_NUMBER',
            required=True,
            description='The default caller ID number',
            value='15555555555',
        ),
        BaseOption(
            name='IAX_DEBUG',
            required=False,
            description='Enable IAX2 debugging messages',
            value=False,
        ),
    ]
    self.register_options(iax2_options)
def register_Mqtt(self, timeout_value=5, threads_value=1):
    """Register the optional MQTT client options.

    Sets ``self.target_type`` to ``"http"`` and registers ``CLIENT_ID`` (no
    default) and ``READ_TIMEOUT`` (default 5 seconds).

    ``timeout_value`` and ``threads_value`` are accepted but not read here;
    the default of ``READ_TIMEOUT`` is the literal 5, not ``timeout_value``.
    """
    # NOTE(review): target_type is "http" although MQTT is not an HTTP
    # protocol -- confirm that consumers of target_type expect this.
    self.target_type = "http"
    # The original kept two commented-out, Ruby-style lines here: a default
    # MQTT RPORT option and a register_autofilter_ports() call for the default
    # and SSL MQTT ports. Neither is registered by this function.
    client_id = BaseOption(
        name='CLIENT_ID',
        required=False,
        description='The client ID to send if necessary for bypassing clientid_prefixes',
    )
    read_timeout = BaseOption(
        name='READ_TIMEOUT',
        required=False,
        description='Seconds to wait while reading MQTT responses',
        value=5,
    )
    self.register_options([client_id, read_timeout])
def register_client_dns(self):
    """Register the three required WordPress options.

    ``TARGETURI`` (default ``/``), ``WPCONTENTDIR`` (default ``wp-content``)
    and ``WPCHECK`` (default ``True``).
    """
    # NOTE(review): the function name mentions DNS but the options describe a
    # WordPress site -- confirm the name.
    # The original comments attribute TARGETURI and WPCHECK to
    # Msf::Exploit::Remote::HTTP::Wordpress.
    wordpress_options = [
        BaseOption(
            name='TARGETURI',
            required=True,
            description='The base path to the wordpress application',
            value='/',
        ),
        BaseOption(
            name='WPCONTENTDIR',
            required=True,
            description='The name of the wp-content directory',
            value='wp-content',
        ),
        BaseOption(
            name='WPCHECK',
            required=True,
            description='Check if the website is a valid WordPress install',
            value=True,
        ),
    ]
    self.register_options(wordpress_options)
def register_client_dns(self):
    """Register the optional ``CERT_PATH`` option.

    Also sets ``self.target_type`` to ``"http"``. The default is ``False``,
    not a path.
    """
    # NOTE(review): the function name mentions DNS but the option is the path
    # of a signing certificate -- confirm the name.
    # NOTE(review): the default is the boolean False, so code that reads
    # CERT_PATH must cope with a bool as well as a string -- confirm.
    self.target_type = "http"
    cert_path = BaseOption(
        name='CERT_PATH',
        required=False,
        description='Path on compiler host to .pfx fomatted certificate for signing',
        value=False,
    )
    self.register_options([cert_path])
def register_Ntp(self, timeout_value=5, threads_value=1):
    """Register the NTP connection and protocol options.

    Sets ``self.target_type`` to ``"http"``. Optional: ``RPORT`` (123) and
    ``ENTRIES`` (1000). Required: ``VERSION`` (2) and ``IMPLEMENTATION`` (3).

    ``timeout_value`` and ``threads_value`` are accepted but not read here.
    """
    # NOTE(review): target_type is "http" although NTP is not an HTTP
    # protocol -- confirm that consumers of target_type expect this.
    self.target_type = "http"
    ntp_options = [
        BaseOption(
            name='RPORT',
            required=False,
            description="RPORT",
            value=123,
        ),
        BaseOption(
            name='ENTRIES',
            required=False,
            description="PII Entry Count",
            value=1000,
        ),
        BaseOption(
            name='VERSION',
            required=True,
            description='Use this NTP version',
            value=2,
        ),
        BaseOption(
            name='IMPLEMENTATION',
            required=True,
            description='Use this NTP mode 7 implementation',
            value=3,
        ),
    ]
    self.register_options(ntp_options)
def register_client_dns(self):
    """Register the SMB named-pipe, retry and debug options.

    ``NAMEDPIPE`` is optional (empty string means auto-selection, per its
    description). Required, with defaults: ``LEAKATTEMPTS`` (99), ``RPORT``
    (445) and ``DBGTRACE`` (``False``).
    """
    # NOTE(review): the function name mentions DNS but the options target an
    # SMB service on port 445 -- confirm the name.
    smb_pipe_options = [
        BaseOption(
            name='NAMEDPIPE',
            required=False,
            description='A named pipe that can be connected to (leave blank for auto)',
            value="",
        ),
        # Win10 can get stubborn, hence the high default retry count.
        BaseOption(
            name='LEAKATTEMPTS',
            required=True,
            description='How many times to try to leak transaction',
            value=99,
        ),
        BaseOption(
            name='RPORT',
            required=True,
            description='The Target port',
            value=445,
        ),
        BaseOption(
            name='DBGTRACE',
            required=True,
            description="Show extra debug trace info",
            value=False,
        ),
    ]
    self.register_options(smb_pipe_options)